WhatsApp account theft via voicemail has gone from being a rarity to becoming a widespread method. In many cases, the victim doesn't even need to click on links or install anything: all that's needed is for the verification code to end up on the voicemail, and the attacker knows how to listen to it. In this guide, we explain in detail how they operate, what warning signs should alert you, and, above all, how to protect yourself from this. The key idea: a poorly configured voicemail is an open door.
Organizations such as INCIBE and various police forces have detected a surge in this scam and have described its mechanics step by step. The technique combines social engineering with common oversights (mailboxes with default PINs, missed international calls, busy lines) to register your number on another mobile phone. If the WhatsApp code ends up saved in your mailbox and the attacker accesses it, the account will be blocked..
What's happening and why does it work?
The starting point is always registering your number on someone else's device. As a security measure, WhatsApp sends a six-digit code via SMS or call. If you don't answer, the app offers to resend it via voice call, and if you still don't answer, the message with the code is saved in your voicemail. That's where many cybercriminals focus..
Why is it so easy for them? Because most voicemails are enabled by default and protected with weak or default PINs (such as 0000 or 1234). In this scenario, an attacker can call your number, access your voicemail from another line, and listen to the audio with the verification code. A careless setup allows anyone who guesses your PIN to log in as you..
A real case that reveals the trick
INCIBE's 017 hotline assisted an adult woman who lost control of her WhatsApp account after receiving calls from foreign numbers (Germany and England) that she didn't answer. Shortly after, a message appeared in her inbox with a WhatsApp login verification code and a missed call that ended up on her answering machine. The victim became suspicious because the same thing had happened to a friend of his the day before..
The hypothesis is clear: the attackers could have removed their phone from the address book of the friend they had already compromised and then tried to access their WhatsApp account. With the code deposited in the voicemail and a weak PIN, accessing the voicemail was a piece of cake. It's a chain: they steal from one, harvest contacts and try the rest..
Voicemail Fraud Step-by-Step
- The attacker starts registering your number on another phone. WhatsApp triggers code sending.
- If you don't read the SMS or answer the call, the system offers voice verification. The unanswered call ends up in the mailbox.
- The answering machine records the audio with the six-digit code. That recording remains available in your mailbox..
- The criminal calls your number to access your voicemail and listen to your messages; if your PIN is weak or predetermined, they'll guess it. Recover the audio code.
- With the code in hand, complete the registration on your mobile and close your session. Your account is under their control.
To increase their chances, they often force you to not be able to answer: they call you several times in a row to tie up the line, they choose nighttime hours when you won't answer, or they even take advantage of you having your phone turned off or in airplane mode. The goal is for the voice with the code to land in the mailbox, no matter what..
What do they do with your account next?
Once inside, they impersonate you in chats and groups, demand money with urgent excuses, or send malicious links, taking advantage of the trust you inspire in your contacts. At the same time, they can review sensitive content you have in your chats, such as photos or conversations, for extortion purposes. Your number and your name become the perfect alibi.
Additionally, they often activate two-step verification to block you from returning immediately. If they do this, even if you try to recover your account, you may not be able to log in for up to seven days without that PIN. Time is on your side if you don't react quickly..
Other common methods of WhatsApp theft
Along with the voicemail trick, outright deception is still in effect: a contact (or someone pretending to be one) texts you saying they accidentally sent you a six-digit code and asks you to resend it. Once you share it, you lose control of the account. Never share verification codes with anyone, not even family members..
Another real threat is the . If a criminal manages to process a duplicate at a careless store, they'll receive your verification texts and calls, and have free access to your voicemail. Poorly verified identity at the operator opens the door to multiple frauds.
Clear signs that your account has been deleted
- You get a warning that your number has been registered on another device, or you can't log in at all. The system kicks you out without you having done anything.
- Your contacts say they receive strange messages in your name asking for money, or they see strange behavior in groups. Third-party alerts are gold.
- Changes to your photo, status, or profile information that you didn't make, or messages marked as read that you didn't open. Small details that reveal foreign activity.
- You have open sessions on WhatsApp Web or Desktop that you don't recognize, or the system asks you to verify your number for no apparent reason. The presence of unknown devices is a clear symptom.
What to do if your account has already been stolen
Act quickly. The first step is to try re-registering your number in the app to force the attacker to log out. Entering the new six-digit code you receive will kick the attacker out. Immediate reactivation usually nips impersonation in the bud.
If the criminal has enabled two-step verification and you don't have their PIN, you may not be able to log in right away. In that case, you'll have to wait up to seven days to log in without that PIN. During that time, focus on containing damage and notifying your contacts..
Contact your carrier if you've lost your phone or suspect a duplicate SIM to block your line and prevent further verification. Also, once you regain access, check the devices linked to WhatsApp Web/Desktop and close any you don't recognize. Check any entrance doors that may have been left open.
Write to support@whatsapp.com explaining what happened and requesting assistance. If you don't receive a response or if it's unsatisfactory, you can contact WhatsApp's Data Protection Officer. If you don't receive a solution after a month, you can file a complaint with the Spanish Data Protection Agency. Escalate via data protection when care is not adequate.
Save evidence: screenshots, suspicious messages, emails, callers, dates and times. Submit complaint to the State Security Forces and Corps, indicating that your identity has been stolen and detailing possible fraud against third parties. Traceability of evidence is key to investigating and stopping fraud..
Change your voicemail PIN immediately or deactivate it if you're not using it; don't give in to blackmail or pay ransoms, and cut off communication with the attacker. Inform your contacts so they can ignore messages demanding money or data. Reduce the impact by alerting everyone around you as soon as possible..
If you need support, INCIBE is available at Helpline 017 every day from 08:00 a.m. to 23:00 p.m. In Mexico City, the SSC Cyber ​​Police offers 24/7 assistance at 55 5242 5100 ext. 5086, at policia.cibernetica@ssc.cdmx.gob.mx, and on their official profiles. You are not alone: ​​there are public channels to advise you and take action.
How to protect your account so it doesn't happen again
Enable two-step verification in WhatsApp (Settings > Account > Two-Step Verification) and set a PIN that only you know. Add a recovery email so you don't lose control if you forget your PIN. This extra layer stops unauthorized registrations even if they steal your initial code..
Strengthen your voicemail: Change the default PIN to a strong one, avoid birth dates or easy sequences, and if you don't use it, consider disabling it. Your carrier will guide you; in some cases, setup begins by dialing *86 from your mobile phone. A properly configured mailbox cuts off audio access with the code.
Never share the six-digit verification code with anyone, no matter how convincing the story sounds (not even friends or family). If someone texts you in a hurry asking for that code, call them and verify the situation. Compare what they ask you via chat in a different way.
Strengthen your privacy: Limit who sees your profile picture to My Contacts, review your visible information, and be wary of messages with financial emergencies. Before any transfer, hang up and call them back to the number you have saved to confirm. Prudence nips many scams in the bud.
Keep your phone protected with a screen lock, update the system and app, avoid clicking on suspicious links, and regularly review linked devices. Consider reputable security solutions if they help you detect unusual behavior. Daily digital hygiene is the best insurance.
If you think you're being scammed right now
You receive several calls in a row, many from international numbers, and when you return the call, no one answers. A WhatsApp call follows, but you don't answer, and soon after, you notice a new message in your inbox. Cut it short: don't listen to your inbox until you change your PIN, and don't respond to messages that ask for codes. Break the chain where the attacker expects you to fall.
If your line is constantly busy because you're being bombarded with calls, temporarily activate voicemail forwarding or turn off voicemail completely with the help of your operator. Then, resume service with a new, strong PIN. Remove the weak link, even if only temporarily..
Institutional councils and channels of complaint
The recommendations from organizations like INCIBE include notifying all your contacts, contacting WhatsApp support, contacting the data protection officer if they don't respond, and, as a last resort, filing a complaint with the Spanish Data Protection Agency (AEPD) if a month goes by without a solution. At the same time, report the incident to the police or Civil Guard and provide all the evidence. The technical and legal paths must go hand in hand.
Local authorities, such as the SSC Cyber ​​Police in Mexico City, emphasize activating two-step verification, properly configuring your inbox, using strong PINs, and avoiding sharing sensitive information via messaging. They also recommend logging out of unused or lost devices. Prevention is the best defense against these frauds..
About the quality of the information you consult
Some sites include surveys to evaluate their content (design, navigation, clarity, organization, language). Beyond this self-assessment, you can also apply these criteria when reading security guides: look for clear, well-organized texts with understandable language. Reliable and accurate information helps you make better decisions under pressure..
- Design and navigation: that allows you to quickly find what is important.
- Clarity and precision: that explains the fraud without unnecessary technicalities.
- Organisation: that differentiates prevention, detection and response.
- Language: that it be close, direct and unambiguous.
Final reminder of good practices
Before answering a verification voice call, consider whether you initiated the process; if not, be suspicious. Avoid leaving verification calls unanswered when you're actually trying to register your account (so they don't end up in your inbox), and if you're not registering anything, ignore them and check your inbox only after changing your PIN. The coherence between what you do and what reaches your mobile is your compass.
If a friend asks you for money on WhatsApp, even if it sounds like their way of speaking, stop, call, and validate. If you're notified of unusual activity on your profile, investigate immediately: check linked devices, change related passwords, and take preventive measures. Off-chat verification cuts out many apparent frauds.
Protecting WhatsApp isn't complicated if you address the known weaknesses: enable two-step verification, strengthen or disable voicemail, never share codes, watch for signs of impersonation, and if it occurs, react quickly while alerting your friends and family and the authorities. With four well-established measures, this scam will be erased. Share this guide so more people can learn how to manage their WhatsApp accounts and prevent them from being stolen..